Overview

overview

10

Static

static

3

Trojan-Ran...ar.exe

windows7-x64

10

Trojan-Ran...ar.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01-03-2024 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan-Ransom.MSIL.Tear.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>Iow08EWFkDzO0POTC9IbxXUqpBVxw6PYUFI2y7NlvZ0nMdCANpN3zF05bzm9j2+4IPNaaF3KussAp1Smj/M9sDxS5A2JhW7R/IGyz5ggtJI5KxWE1R7Opd1Gx/vALFMLVJHo/2lL803SZ/noml2QZVziMqQ9Cw8BOQtJ6o43YeBN4Ew/hkC8KGEvbCiqVN9h7Ng+SX5GdMlo/JFiDmVHTjt+Js3gSaDoCnI4hlJEIs3iylROqdaY9VeNrd0ClAzgPJ0LeG2yHxNAVglF2IZ2tF5/NoRIY4GCbbZrlx02kZ51WdQ9xn0fZxTe8zOgf2ZBSr2EiQyR1B6vfolnnKw0iw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (1787) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.MSIL.Tear.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.MSIL.Tear.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:1132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    587f3297f6a1a67e3a895be6b5a21def

    SHA1

    c9662d0c8f266719aef538e895fac841ac0be583

    SHA256

    c63d06bcc4b9a241150d6df9a5b91b20851142631d01851977cc144b4344da49

    SHA512

    41ec50d461d15f0f2644cc3bb48714cd937d8aba50c5a280c59e32d63cdd68f23df29fdb80160f4830b22df178346381bd06faf89031f4119075df17e80f92c7

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize

    160B

    MD5

    e1149f67f63a806d5ad9a0cec55a18f8

    SHA1

    3b55997ec79ab93a562f296d21b6b63f148c87e9

    SHA256

    e69cd38d9d1d93e09966ecab7fa52f68a0be76af6cf2c49abfb5d0c2fd422f3c

    SHA512

    effbca5ef35a7b197f3b4a7bb003522a7366f84ce7452b0a741af047a7e351718c5bd7818097e45836e98e76a2df55ff7624a619f42d4ee2c54c49fd6bec23b4

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    12KB

    MD5

    1c7362eafb7ef76646b14ef513f0641f

    SHA1

    2c4d47ee3f80c606cb248830efaedda70b85304e

    SHA256

    031da9b53b13426b1436943bc011da291375eca4b09df484cab9f6e2c21f90a5

    SHA512

    3ca79fedfdbfe1483d570d17797fb351958ef33d09ad70a57be3b1877a09753f70bb07504912a8734d14689396042c1c7c018b29e54dcd255fa4f688e6130fe1

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    8KB

    MD5

    90bfc58696dc8d7e7f4a27d29e62c4bf

    SHA1

    552864b92d0a3112467c3e1b48eda48e0d97aa8a

    SHA256

    eadf70eef7344ab16056de2260e19f0a6b2ccfff6e1bd9899d0116cfa7672505

    SHA512

    7d6d1bd0d45c8a1bc4ff3534ddf0b645b65bdb7c9395fc9d1d86cc5e99357546472d3f5d1a596ca15680ea02597f2d5cd5841c4c9258ca1893878757d0a7291c

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    5f7c620c82c28f09525caf9dfdfa32c6

    SHA1

    b2f9be0a43d5210c8a8a8d1a5e694a6a3dfc8e5f

    SHA256

    9bdb9f72fabe49529ad02dd8cfcfdc91359fafc85603cf4704fd6f2f9de933b8

    SHA512

    e961cd4fcc277e5c444eb7352564d7fc4f526049f52460fd9ecc0d182949a13d8897e65891a56d56698790b0c7bf334bc7a94e5d697b3962b812abd9d8aaeeb0

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    8faab820533b49a155aa9535fa1af320

    SHA1

    76f3eda0aa53d4dd7f04625e33ee9baaae206f5d

    SHA256

    a00107f7f591261ea93ae4c79e231506ee809bdb28d8e637eb61153054d583d7

    SHA512

    a09feea68a32f1dcf43b19db3946c6b7d7e21665536db1284236f59971f54f16f05678b1571cc9b08ae6db5443419ea97a8437cad21440f5bb4f83fc502c6f12

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    172KB

    MD5

    ef7f4fa2b95e15351474b59c576e678e

    SHA1

    31a434dcda6309c6319d1b56fe93cee222e167af

    SHA256

    18d925ac53d1d789d373dffb5c53dab3af19608292af2acf6e4a1bfa53214e04

    SHA512

    1c490b89334adb278bd332c2076aba79cf3175e59dc266c288da6977324357eb866ec74ed62c4a390268ca8ed79048e057c0ed015880c77c98ebb704e33eb28f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/1132-869-0x000000001B0E0000-0x000000001B160000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1132-680-0x000000001B0E0000-0x000000001B160000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1132-672-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1132-303-0x000000001B0E0000-0x000000001B160000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1132-210-0x000000001B0E0000-0x000000001B160000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1132-206-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1132-142-0x00000000000E0000-0x00000000000EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2924-25-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-69-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-27-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-29-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-33-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-31-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-37-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-35-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-41-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-39-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-43-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-47-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-45-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-49-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-53-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-51-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-55-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-59-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-57-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-61-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-63-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-67-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-65-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-23-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-130-0x0000000004900000-0x0000000004940000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2924-131-0x00000000004A0000-0x00000000004A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2924-132-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2924-133-0x0000000004900000-0x0000000004940000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2924-134-0x0000000004900000-0x0000000004940000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2924-135-0x0000000002250000-0x000000000225E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2924-0-0x0000000001FF0000-0x0000000002022000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2924-21-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-17-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-19-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-15-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-11-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-13-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-9-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-7-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-6-0x0000000002020000-0x000000000204B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2924-5-0x0000000002020000-0x0000000002052000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2924-4-0x0000000004900000-0x0000000004940000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2924-3-0x0000000004900000-0x0000000004940000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2924-2-0x0000000004900000-0x0000000004940000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2924-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

    Download